Also I forgot to mention I am not calling the login module myself; everything is defined as per JAAS. I try to access a page for the first time, the application prompts me with a username and password page whose action is j_security_check, after that I log in, and I see the cookie and also get the request.getUserPrincipal value.

The JAAS module and LoginProvider should both pull identical username and password data. Hence, it's best to use a JAAS module that actually uses the same LoginProvider to get username/password information from the datastore.

The standard JAAS module you are using is pulling username nick10 and password nick10.

Is the LoginProvider you hooked in providing the same data (username=nick10 and password=nick10)?

The easiest way to test this: whatever values for username=nick10 are pulled from the LoginProvider, put those same values in user.properties and test it.

This should make SSO login over to nick2/test.jsp... I see the proper Principal in the Console log.

Basically: the JAAS module and LoginProvider must both pull the same username and password data. Hence, I treat the JAAS module as a Façade for Tomcat authentication but use LoginProvider to pull all info in the JAAS module implementation.

Since JAAS is pretty intense to configure, I am probably going to add support for non-JAAS logins in the SSO framework soon.
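
The facade arrangement described in the reply above, as an added example that is not part of the thread or of the SSO framework's code: a standard `javax.security.auth.spi.LoginModule` whose `login()` delegates the credential check to one shared source, so the container and the SSO side cannot disagree. `CredentialSource`, `FacadeLoginModule` and the static `source` field are hypothetical names standing in for the framework's LoginProvider and its wiring.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-in for the SSO LoginProvider: only the username/password
// login call described in the thread is modelled here.
interface CredentialSource {
    boolean login(String username, String password);
}

public class FacadeLoginModule implements LoginModule {
    // Assumption: the deployment sets this to the same source the SSO side uses.
    static volatile CredentialSource source = (u, p) -> false; // fail closed by default

    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username");
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { name, pass }); // container supplies the form values
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String user = name.getName();
        char[] pw = pass.getPassword();
        pass.clearPassword();
        // Single source of truth: the container's decision is the provider's decision.
        if (user == null || pw == null || !source.login(user, new String(pw))) {
            throw new FailedLoginException("authentication failed");
        }
        principal = () -> user; // Principal's only abstract method is getName()
        return true;
    }

    public boolean commit() { return principal != null && subject.getPrincipals().add(principal); }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```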

As a user I write my own LoginModule compliant with JAAS (a class extending AbstractServerLoginModule).

We are all familiar with JAAS and we know which method bodies we should write for authentication. Even if we use LoginProvider inside the JAAS module, the login() method makes sense, and from the JAAS class login method we can call the LoginProvider login method, but again, like in my application, I need more params for the user to log in. However, the login method in LoginProvider takes only username and password arguments. I can always concatenate other params and send them as the username, but still, as a user I won't feel comfortable about it.

Similarly, readAllRoles makes sense and can be linked with readRoleSets of JBoss.

But about other methods of LoginModule like exists, read: where should we hook in these methods with our custom JAAS code?

There should be more explanation about this.

The other thing is Identity: it is defined as a class with fixed getters and setters, and there is a possibility that the user needs more and less getters and setters. Like in normal JAAS we just return a Principal object.

Maybe my understanding here is wrong, but this is what came to my mind and I thought that I should share it with you. Please do not think that I am complaining. All you JBoss guys are great, and as a user of your products I am always thankful for all the efforts and contribution of the JBoss teams for the industry.